Please find below a summary of PDPC enforcement actions for September 2016:


1. 21 Sep 2016: Aviva Limited (“Aviva”) and Toh-Shi Printing Singapore Pte Ltd (“TSP”) – AVIVA NOT IN BREACH, TSP FINED $25,000

On 9 Mar 2016, the PDPC was informed by Aviva of an incident involving the disclosure of personal data belonging to 7,794 Aviva policyholders under a specific scheme/policy.  It was reported that erroneous annual premium statements for the year 2015 had been sent out to this group of policyholders.  TSP provides mail-out services for all of Aviva’s correspondence and data printing services for ad-hoc projects, and the relationship is governed by a Service Agreement which required TSP to ‘put in place adequate security policies, procedures and controls to protect the confidentiality of personal data’.

Notwithstanding the security measures and procedures implemented by TSP to protect the very sensitive financial data it processed on behalf of Aviva, the PDPC noted that TSP admitted the data breach incident was caused by errors that occurred because its staff had failed to comply with the company’s own security measures and procedures.  Aviva was also investigated and found not to be in breach of the PDPA, as it had demonstrated that it had undertaken an appropriate level of due diligence to satisfy itself that TSP was capable of complying with the PDPA.

TSP was fined $25,000 for the data breach and for not taking reasonable preventative steps before the personal data breach occurred.  A heavier fine was levied on TSP because it was the second time in a year that TSP had committed a breach, and both data breach incidents involved similar fact patterns and causes.  In addition, a considerable number of individuals were affected and sensitive financial personal data was involved.


2. 21 Sep 2016: Fu Kwee Kitchen Catering Services (“Fu Kwee”) and Pixart Pte Ltd (“Pixart”) – FU KWEE FINED $3,000, PIXART FINED $1,000

On 30 September 2014, the PDPC received a complaint against Fu Kwee regarding an alleged data breach involving unauthorised access to Fu Kwee’s customers’ personal data due to various preventable vulnerabilities in Fu Kwee’s system.

Pixart was an IT vendor engaged by Fu Kwee in 2010 to (a) develop an online ordering system and a corporate website for Fu Kwee, and (b) host, support and maintain the website.  The contract between Fu Kwee and Pixart was only terminated sometime around April or May 2015.  The contract did not contain any requirement to put in place security measures to protect the personal data.

Fu Kwee was fined $3,000 for breaching the Protection Obligation and the Openness Obligation of the PDPA (by failing to appoint a DPO or to implement access controls despite being notified in 2014) and was directed to comply with the following:

  1. All Fu Kwee employees handling personal data to attend a PDPA training course on the obligations under the PDPA;
  2. Security audit of Fu Kwee’s website to be performed by duly qualified competent contractors or staff and have the report furnished to the PDPC; and
  3. Fu Kwee to appoint a DPO and to develop and implement policies and practices to fully meet the obligations under the PDPA.

Pixart was also fined $1,000 for not complying with the Protection Obligation of the PDPA.

Although Fu Kwee had outsourced the hosting, support and maintenance of its online ordering system and corporate website to Pixart, Fu Kwee was ultimately responsible for the security of the website and customers’ personal data as if the personal data was processed by Fu Kwee itself.


3. 23 Sep 2016: ABR Holdings Pte Ltd (“ABR”) – WARNING

On 18 March 2014 and on 15 Jul 2014, the PDPC received complaints that, by entering a random 8-digit number as a simulated membership number or a simulated Unique Identification Number (UIN), one could access the Swensen’s Kids Club member account associated with that membership number or UIN, and the member’s name and date of birth would be shown.

No password or any other form of authentication was required before access was granted.  ABR changed the website to remove the display of the member’s name and DOB on 5 Aug 2014, after the PDPC notified ABR of the further complaint.

The PDPC found that ABR’s reliance on membership numbers or UINs alone did not constitute reasonable or adequate security arrangements for the personal data in its possession or under its control, and that ABR had therefore failed to make reasonable security arrangements to protect that personal data.

In view that the personal data disclosed was largely limited to members’ names and DOBs and ABR took prompt action to remedy the lapses, the PDPC decided to issue a Warning against ABR for the breach of its obligations under Section 24 of the PDPA.
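The lapse in the ABR case is that a guessable identifier (a membership number or UIN) was the only thing standing between a request and another member’s record. The following added example, which is not from the PDPC decision and does not represent ABR’s actual system, contrasts that pattern with a lookup that requires an authenticated session and checks that the session owns the record being requested. All member records, credentials and function names are constructed for illustration.

```python
"""Member lookup: identifier-only access versus authenticated, owner-checked access.

Constructed illustration; the records, passwords and function names are assumptions
and do not reflect any real membership system.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records keyed by an 8-digit membership number.
MEMBERS = {
    "12345678": {"name": "Alice Tan", "dob": "2010-03-04"},
    "87654321": {"name": "Ben Lim", "dob": "2011-07-19"},
}

# Server-side state for the hardened version.
CREDENTIALS = {}  # membership number -> (salt, pbkdf2 hash)
SESSIONS = {}     # opaque session token -> membership number


def lookup_insecure(membership_no: str) -> Optional[dict]:
    """The weak pattern: knowing (or guessing) the number is enough to read the record."""
    return MEMBERS.get(membership_no)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored credentials are not directly reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register_credential(membership_no: str, password: str) -> None:
    """Attach a password to a member; called when the member enrols."""
    if membership_no not in MEMBERS:
        raise KeyError("unknown member")
    salt = secrets.token_bytes(16)
    CREDENTIALS[membership_no] = (salt, _hash_password(password, salt))


def login(membership_no: str, password: str) -> Optional[str]:
    """Return a random session token on success, None on failure.

    The failure path is identical for unknown numbers and wrong passwords, so a
    caller cannot use login to confirm which membership numbers exist.
    """
    cred = CREDENTIALS.get(membership_no)
    if cred is None:
        return None
    salt, expected = cred
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = membership_no
    return token


def lookup_secure(session_token: Optional[str], membership_no: str) -> Optional[dict]:
    """The hardened pattern: authenticate first, then enforce record ownership.

    Both checks are needed. Authentication alone would still let any logged-in
    member read every other member's record by changing the number in the request.
    """
    owner = SESSIONS.get(session_token) if session_token else None
    if owner is None:
        return None            # no valid session: nothing is disclosed
    if owner != membership_no:
        return None            # valid session, but not the owner of this record
    return MEMBERS.get(membership_no)


if __name__ == "__main__":
    register_credential("12345678", "constructed-example-password")
    print("insecure:", lookup_insecure("87654321"))          # data returned with no auth
    print("no session:", lookup_secure(None, "87654321"))     # None
    tok = login("12345678", "constructed-example-password")
    print("own record:", lookup_secure(tok, "12345678"))      # Alice's record
    print("other record:", lookup_secure(tok, "87654321"))    # None
```

The ownership check in `lookup_secure` is the part most often missed: moving from "no authentication" to "any authenticated user" closes the anonymous-access gap in the ABR facts but still lets one member enumerate others, so the session must be bound to the specific record it is allowed to read.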


4. 23 Sep 2016: Comfort Transportation Pte Ltd (“Comfort”) and CityCab Pte Ltd (“CityCab”) – COMFORT AND CITYCAB NOT IN BREACH

On 15 August 2014 and 22 August 2014, the PDPC received complaints against Comfort and CityCab respectively for disclosing the personal mobile phone numbers of taxi drivers to customers who booked their taxis.  It was alleged that the drivers’ mobile numbers constitute personal data, and that Comfort and CityCab were obliged to protect such data in accordance with the PDPA and not disclose it to customers without the drivers’ prior consent.

After investigating, the PDPC concluded that the taxi drivers’ mobile phone numbers were, at the material time, disclosed and used as business telephone numbers and accordingly constituted the drivers’ business contact information, thereby exempting Comfort and CityCab from complying with Parts III to VI of the PDPA in respect of those numbers.

The PDPC ruled that Comfort and CityCab had not contravened the PDPA, and no further action was taken against them.


5. 30 Sep 2016: GMM Technoworld Pte Ltd (“GMM”) – GMM FINED $3,000

On 3 March 2016, the PDPC received a complaint regarding the alleged disclosure of personal data on GMM’s corporate website.  The website was built on the WordPress platform for the purpose of marketing GMM’s products.  It was hosted on a third-party server and comprised several publicly accessible webpages, including a warranty registration feature.

The online warranty registration form was created using Formidable Forms, a third-party paid plug-in for WordPress, which allowed personal data to be captured on the website.  The personal data collected included customers’ names, email addresses, mobile phone numbers and residential addresses.  One of the plug-in’s functions was to dynamically list and display on a webpage the personal data collected through the form.  GMM stated that it was unaware of this function and had assumed that the collected personal data was viewable only by the website administrator.

As a result of GMM’s misunderstanding and incorrect use of the plug-in, the personal data of approximately 190 individuals was publicly displayed on the webpage.  After being notified of the breach, GMM took corrective action to stop the unauthorised disclosure.

GMM was fined $3,000 for breaching the Protection Obligation under section 24 of the PDPA.  GMM’s lack of awareness of the plug-in’s actual functions, its incorrect use of the plug-in, and its failure to configure it appropriately were not a valid excuse, as they led to the unauthorised disclosure of the personal data of approximately 190 individuals.  Ultimately, ignorance is not bliss.


Contact P2D Solutions now if you have a PDPA related query about your organisation!
